Cyber shield for private sector sparks Big Brother fears

Is an NSA program to defend corporate critical infrastructure a step toward a surveillance state?

By Amber Corrin

Jul 08, 2010

The National Security Agency's new program to shield the networks of privately owned utilities and other critical infrastructure companies has caused some people to fear it's a step toward a surveillance state or a government power grab.

Named "Perfect Citizen," the plan is designed to detect cyber assaults that could potentially threaten critical infrastructure, which includes the electric grid, power companies, nuclear power plants, transportation, health care facilities and other necessities of modern life, according to a report in the Wall Street Journal. It would also deal with the networks of defense contractors and companies such as Google, which asked NSA for help after a major cyberattack last year.

The government would deploy sensors on the privately owned networks to identify unusual activity that could signal a potential intrusion or threat, but would not necessarily continuously monitor the networks.

According to the report, Raytheon has received a $100 million classified contract to start work on the program. No comment was available from either the NSA or Raytheon.

The program’s revelation has triggered a wave of concerns and outcry over the surveillance aspect and the potential for invasion of privacy. Even in Raytheon there is disagreement over the program – an internal e-mail message leaked to the WSJ said, “The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security. Perfect Citizen is Big Brother.”

"Big Brother" is the name for the dictator who oversees the oppressive -- and hyper surveillant -- government in George Orwell's dystopian novel "1984."

Jim Harper, writing for the libertarian Cato Institute, criticized the program's secrecy and potential expansion. "Benign intentions do not control future results, and government surveillance of the Internet for 'cybersecurity' may warp over time to surveillance for ideological and political purposes," he wrote.

However, government officials say such a program is critical for protecting national security. At a cybersecurity symposium held by AFCEA in Washington today, officials warned of the dire consequences of failing to protect the networks behind the country’s most important utilities and communications systems.

“It’s important for the public to understand there’s a lot at risk. We need to think about [security] differently than in the past,” said Army Brig. Gen. John Davis, director of current operations at the U.S. Cyber Command. CyberCom is tied to the NSA, including by the leadership of Gen. Keith Alexander, who heads both organizations.

“We need a regime where we can respond to incidents,” Davis said.

Writing in PC World, Tony Bradley acknowledged the concerns while defending the program. "The name -- Perfect Citizen -- seems overtly Orwellian. The first thing that pops into my mind when reading about this program is the movie Eagle Eye, or HAL from Arthur C. Clarke's Space Odyssey saga. But, oppressive 'Newspeak' naming aside, the premise of the program seems both valuable and long overdue," he wrote.

However, Bradley added, "The concern is that Perfect Citizen could be just the beginning, or that the NSA will overstep its bounds and essentially monitor all domestic network activity. Access to critical infrastructure networks might also provide the NSA with access to details regarding the power usage, or travel plans of companies and individual citizens.

"It is a difficult balance to strike. ... Given the recent history of the NSA, it is easy to jump to insidious conspiracy theory conclusions. However, this is a long overdue step in safeguarding the critical infrastructure of the nation, and will hopefully be a first step in fostering more cooperation between public and private sector -- as well as between various private sector companies -- to collaborate on intelligence gathering and effective defense against cyberattacks."

Bruce Held, director of intelligence and counter-intelligence at the Energy Department, said being aggressive is vital for national cybersecurity. “With static cyber defense you can never win against an agile defense,” Held said.

In May, Deputy Defense Secretary William Lynn said the Defense Department is considering measures to protect the private networks with vulnerabilities that could threaten national security. He said a task force had been formed to determine an “enduring security framework” to examine the issues surrounding critical infrastructure network security.

inside gcn

Reader Comments

Thu, Jul 15, 2010
Jeffrey A. Williams
Frisco Texas

I find it rather ironic that Google, the biggest security risk contractor on the planet is making such a request.

Wed, Jul 14, 2010

Often, the verbiage coming out of the agencies or being translated by the media can be ... contradictory. Evidence the "The government would deploy sensors on the privately owned networks to identify unusual activity that could signal a potential intrusion or threat, but would not necessarily continuously monitor the networks." -- If the sensors would identify unusual activity, it would be because they are CONTINUOUSLY MONITORING. Not to mention the ambiguous nature of Government Sensors on PRIVATE NETWORKS. It's not PRIVATE, then, is it? What do they monitor? "Activity"? And what would the sensors DO? Just putting a thermometer somewhere doesn't do any good unless someone reads the temperature. The sensors have to report somewhere. Where? If these were truly private networks, then the owner would monitor on their own behalf -- possibly reporting activity to the government based on their best judgement. With the government monitoring, there's nothing to say that the government wouldn't go "one step beyond" each case, looking for IPs, casual traffic patterns, words, or whatever. WOULD it come down to "we noticed that you were reading about barbequeing, and based on the National Health Codes, over-consumption of... blah, blah, blah. " or "On July 13th, at 1:52pm, you were searching prices for cruise ship packages. Based on your last IRS Return, the wages reported by your employer, and your recent bank and credit statements, we have decided that you can't really afford a cruise and we have put you on the 'do not cruise' list. Unless you happen to have some other savings or income that we do not know about, in which case, we are also reviewing your Tax Returns for the last decade. Have a nice day." Could it happen? Not WOULD it happen, but COULD it happen?

Wed, Jul 14, 2010
A Citizen
Washington, DC

Assistance from the Government, when requested, should b e considered a good thing, in my opinion. Google asking for help and getting it seems reasonable. Security developed by the Government where it did not occur and does not need to occur (in my opinion) is not a good thing. The Government created a new rule restricting flight in certain areas in this country after 9/11 on general aviation. Problem is, 9/11 did not involve general aviation. the government created restrictions where they did not apply. Same might happen in the IT field if we are not careful. Intelligent conversation with our governmental representatives is the way to go. Find an interested Senator or Representative.

Mon, Jul 12, 2010

I see big brother is already with us - My comments to this posting,from last Friday have been edited out and do not appear. I this continues, my online subscription to FCW will go the same way.

Mon, Jul 12, 2010
concerned citizen

Perhaps they should start with the banks. I am constantly amazed at the lack of security on the banking systems.